Friday, August 14, 2009

Overseeing Surveillance - Lessons from the UK Experience?

In a previous post I pointed out the remarkable lack of transparency in the oversight of surveillance in Ireland. This has become all the more worrying since July when the remit of this oversight system was extended (by the Criminal Justice (Surveillance) Act 2009) beyond telephone tapping and data retention to include also the planting of covert audio bugs, video cameras and gps trackers. In effect, the Designated Judge has now been given (by ad hoc extensions of his role) oversight of most forms of surveillance - with public accountability in respect of this oversight remaining limited to a single page annual report.

Two recently published documents from the UK illustrate a better model of oversight.

The first is the 2008 Report of the Interception of Communications Commissioner. The primary role of this official - a retired judge - is similar to that of the Irish Designated Judge in relation to interceptions and data retention. Unlike our uninformative annual report, however, the Interception Commissioner gives much more detail in relation to his work. Here are some examples:

In short, I meet officers in the agencies undertaking interception work and officials in the departments of the Secretaries of State/Ministers which issue the warrants. Prior to each visit, I obtain a complete list of warrants issued or renewed or cancelled since my previous visit. I then select, largely at random, a sample of warrants for inspection. These include both warrants and attendant certificates. In the course of my visit I satisfy myself that those warrants fully meet the criteria of RIPA, that proper procedures have been followed and that the relevant safeguards and Codes of Practice have been followed. During each visit I review each of the files and the supporting documents and discuss the cases with the officers concerned. I can, if I need to, view the product of interception. It is of paramount importance to ensure that the facts justified the use of interception in each case and that those concerned with interception fully understand the safeguards and the Codes of Practice...

During 2008, I visited a total of nine communication service providers (CSPs) and internet service providers (ISPs) consisting of the Royal Mail and the communications companies who are most engaged in interception work. These visits, mostly outside London, are not formal inspections but are designed to enable me to meet both senior staff in each company as well as the personnel who carry out the work on the ground, and for them to meet and talk to me. I have no doubt that the staff in the CSPs and ISPs welcome these visits. We discussed the work that they do, the safeguards that are in place, any errors that have occurred, any legal or other issues which are of concern to them, and their relationships with the intercepting agencies...

Fifty errors and breaches [in relation to interceptions] have been reported to me during the course of 2008. This is a marked increase when compared with the total of 24 errors and breaches reported in my last Annual Report. I consider the number of errors to be too high. By way of example, details of some of these errors are recorded below...

That report gives a similar level of detail in relation to communications data issues. Here's an example:

the police took swift action when information from a reliable source suggested that a number of very young children were at immediate risk of falling into the hands of a paedophile ring. Subscriber information relating to an Internet Protocol (IP) Address was obtained in order to locate an address for the children but unfortunately it would appear this was not correct. The police entered the address and arrested a person who was completely innocent and further enquiries are continuing. This was a very unfortunate error and the whole process of obtaining data relating to IP addresses has been re-examined. In this case there was confusion between the Internet Service Provider and the public authority over how the data should be interpreted, particularly in relation to the critical international time zones. Better checks and balances have been put in place to help clarify the process, which includes liaison with the SPoC trainers and these should help to prevent similar errors in the future.

The second recent document from the UK is the Report of the Chief Surveillance Commissioner for 2008/2009. This report covers some of the same areas where the Designated Judge now has responsibilities, particularly in relation to the planting of covert bugs and video surveillance. Again the level of review is quite detailed:

Common causes of errorThe areas that have received the most criticism on inspection – and this applies equally to all types of public authority – in this reporting period are:(a) a continuing failure on the part of Authorising Officers properly to demonstrate that less intrusive methods have been considered and why they have been discounted in favour of the tactic selected;(b) the continuing preference to interpret private information as limited to biographical data rather than recognise the wider meaning decided by the European Court of Human Rights. A specific act of surveillance may not be intrusive but a combination of acts may enable the construction of a profile; this requires careful consideration when judging whether an individual’s private life is subject to interference;(c) the failure of Authorising Officers, when cancelling authorisations, to give directions for the management and storage of the product of the surveillance;(d) the continuing confusion with regard to the need for authorisation when surveillance equipment (such as CCTV) is focused on an individual in a public place. It is not where the CCTV is placed (which may be overt or covert) but the manner in which the camera is used that is determinative of whether the surveillance is covert;(e) Authorising Officers not knowing the capability of the surveillance equipment which they are authorising. For instance, there are differences between video cameras that record continuously and those activated by motion; and between thermal image and infra-red capability. These differences may have an important bearing on how a surveillance operation is conducted and the breadth of the authorisation being granted. Therefore, a simple authorisation for ‘cameras’ is usually insufficient;(f) poor internal audit by senior management. The Central Record of Authorisations is often in a form not conducive to quick review or status check. Sometimes it is apparent that there has been no meaningful internal audit between OSC inspections; and(g) those conducting covert surveillance basing their activity on what was requested rather than on what was specifically authorised. R v Sutherland underpins the importance of briefing those conducting the surveillance beforehand on the specific authorisation.

The significance of these reports lies not so much in the specifics, but in the fact that they illustrate a more effective form of regulating surveillance. The Irish model - in which oversight is minimal and given as a part-time duty to a busy judge - seems increasingly unsustainable in comparison.